defirisk.co
rubric v1.7.0

Post-audit code changes without re-audit

Lombard Finance's assessment for RD-F-139 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Most recent Ethereum upgrade: 2026-04-24. Most recent audit end: OZ multipauser 2026-04-09 (15-day gap). Sherlock multipauser+bridge: 2026-04-01 (23-day gap). The April 2026 audits listed BaseLBTC/NativeLBTC/StakedLBTC/BridgeV2 in scope, suggesting the upgrade is plausibly within scope, but explicit commit SHA correspondence is unconfirmed. GitHub audit README warns: 'Some of the contracts were modified after they were audited.'

Sources

  • Audit
    https://raw.githubusercontent.com/lombard-finance/evm-smart-contracts/main/docs/audit/Sherlock_multipauser_bridge_04_26.pdf (retrieved 2026-05-05)
  • Tx
    0x70e7eb22979240dd2d86009d353e90e9ea597d47069a6e81214461e51f6c6ce4 (retrieved 2026-05-05)
  • GitHub
    https://github.com/lombard-finance/evm-smart-contracts (retrieved 2026-05-05)
  • Audit
    https://raw.githubusercontent.com/lombard-finance/evm-smart-contracts/main/docs/audit/OZ_multipauser_04_26.pdf (retrieved 2026-05-05)

Methodology

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.


rubric_version: v1.7.0 | protocol: lombard | factor: RD-F-139 | score: yellow | collected_at: 2026-05-05 12:03:08